搭建ETCD集群(k8s学习四)


搭建ETCD集群

etcd 只在 sh0-21 sh0-30 sh0-31 搭建

使用运维主机sh0-50给etcd签发证书

# On the ops host sh0-50: this directory already holds cfssl's CA material
# (ca.pem / ca-key.pem), which the gencert step below reads from the cwd.
cd /opt/certs/
vim ca-config.json

输入以下内容

{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
vim etcd-peer-csr.json

输入以下内容

把可能部署的所有IP记录写上

{
    "CN": "k8s-etcd",
    "hosts": [
        "192.168.0.20",
        "192.168.0.21",
        "192.168.0.30",
        "192.168.0.31"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "shenzhen",
            "L": "shenzhen",
            "O": "gy",
            "OU": "ops"
        }
    ]
}

签证书

输入命令

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer

会生成以下文件

-rw-r--r--. 1 root root 1066 Feb 23 09:27 etcd-peer.csr
-rw-r--r--. 1 root root  377 Feb 23 09:23 etcd-peer-csr.json
-rw-------. 1 root root 1675 Feb 23 09:27 etcd-peer-key.pem
-rw-r--r--. 1 root root 1432 Feb 23 09:27 etcd-peer.pem

安装ETCD

在 021 030 031 安装

新增etcd用户

useradd -s /sbin/nologin -M etcd

下载etcd

创建目录并进入 /opt: mkdir -p /opt/src/ && cd /opt

wget https://dl.serctl.com/downloads4/2020-12-08-11-15-38-download-etcd-v3.4.14-linux-amd64.tar.gz

自己下载, 这个是一个镜像, github官方太慢了, 未来可能都不能用

解压文件,创建软链接ETCD

[root@sh0-21 opt]# ll
total 0
drwx--x--x. 4 root      root       28 Feb 21 11:35 containerd
lrwxrwxrwx. 1 root      root       13 Feb 23 11:09 etcd -> etcd-v3.4.14/
drwxr-xr-x. 3 630384594 600260513 123 Nov 25 15:27 etcd-v3.4.14
drwxr-xr-x. 2 root      root       33 Feb 23 11:09 src

复制证书

创建目录

mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server

进入运维主机sh0-50发放证书给其他主机

for i in 21 30 31;do scp ca.pem etcd-peer.pem etcd-peer-key.pem sh0-${i}:/opt/etcd/certs/ ;done

创建etcd运行脚本

vim /opt/etcd/etcd-server-startup.sh

输入以下内容

IP 要按实际填写, 注意集群其他机器的IP

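#!/bin/sh
# Startup wrapper for one etcd member; supervisord (etcd-server.ini) runs it as
# user etcd with /opt/etcd as cwd.
#
# --listen-peer-urls     address/port other etcd members connect to
# --listen-client-urls   address/port clients connect to
# --quota-backend-bytes  backend storage quota in bytes
# Per-member values to edit: --name, --listen-peer-urls, --listen-client-urls,
# --initial-advertise-peer-urls and --advertise-client-urls (this copy is the
# 192.168.0.21 member). --initial-cluster lists all three members.

# Run from the script's own directory so the ./certs/... paths below resolve no
# matter where supervisord was started from. Expansions are quoted and a failure
# aborts instead of launching etcd from the wrong directory.
WORK_DIR=$(dirname "$(readlink -f "$0")") || exit 1
cd "$WORK_DIR" || exit 1

# exec replaces this shell with etcd, so the stop signal supervisord sends goes
# to etcd itself rather than to a wrapper shell that would exit and leave etcd
# running orphaned.
#
# Security note: --client-cert-auth only covers the https listeners. The
# plaintext http://127.0.0.1:2379 listener (what `etcdctl --endpoints=localhost:2379`
# relies on) gives any local process unauthenticated full access to the cluster
# state; remove it once local clients can present a client certificate.
exec /opt/etcd/etcd --name etcd-server-0-21 \
    --data-dir /data/etcd/etcd-server \
    --listen-peer-urls https://192.168.0.21:2380 \
    --listen-client-urls https://192.168.0.21:2379,http://127.0.0.1:2379 \
    --quota-backend-bytes 8000000000 \
    --initial-advertise-peer-urls https://192.168.0.21:2380 \
    --advertise-client-urls https://192.168.0.21:2379,http://127.0.0.1:2379 \
    --initial-cluster etcd-server-0-21=https://192.168.0.21:2380,etcd-server-0-30=https://192.168.0.30:2380,etcd-server-0-31=https://192.168.0.31:2380 \
    --cert-file ./certs/etcd-peer.pem \
    --key-file ./certs/etcd-peer-key.pem \
    --client-cert-auth \
    --trusted-ca-file ./certs/ca.pem \
    --peer-cert-file ./certs/etcd-peer.pem \
    --peer-key-file ./certs/etcd-peer-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file ./certs/ca.pem \
    --log-outputs stdout \
    --logger=zap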

修改文件权限

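chmod u+x /opt/etcd/etcd-server-startup.sh
# owner:group is the POSIX separator; the owner.group spelling is a legacy form
# and is ambiguous when an account name itself contains a dot.
# NOTE(review): recursing over /opt/etcd/ also hands ownership of the etcd
# binary to the service account; it only needs read access to ./certs and write
# access to the two /data paths, so consider limiting the recursive chown to those.
chown -R etcd:etcd /opt/etcd/ /data/etcd /data/logs/etcd-server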

安装supervisor

# supervisord will own the etcd process (program definition in /etc/supervisord.d/).
yum -y install supervisor
systemctl start supervisord
systemctl enable supervisord

vim /etc/supervisord.d/etcd-server.ini

输入以下内容

[program:etcd-server-0-21]
; One program section per member; this name and the --name inside the startup
; script identify the same node (sh0-21 in this copy).
command=/opt/etcd/etcd-server-startup.sh              ; the program (relative uses PATH, can take args)
numprocs=1                                            ; number of processes copies to start (def 1)
directory=/opt/etcd                                   ; directory to cwd to before exec (def no cwd)
autostart=true                                        ; start at supervisord start (default: true)
autorestart=true                                      ; restart at unexpected quit (default: true)
startsecs=30                                          ; number of secs prog must stay running (def. 1)
startretries=3                                        ; max # of serial start failures (default 3)
exitcodes=0,2                                         ; 'expected' exit codes for process (default 0,2)
; NOTE(review): supervisord delivers stopsignal to the process it spawned, i.e.
; the /bin/sh running etcd-server-startup.sh. Unless that script exec's etcd
; (or stopasgroup/killasgroup are set), the signal never reaches etcd, which
; keeps running after supervisor reports it stopped. Also confirm QUIT is a
; clean stop for etcd: a Go program that does not handle SIGQUIT dumps its
; goroutines and exits, whereas TERM (the default) is handled as a graceful shutdown.
stopsignal=QUIT                                       ; signal used to kill process (default TERM)
stopwaitsecs=10                                       ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                             ; setuid to this UNIX account to run the program
redirect_stderr=true                                  ; redirect proc stderr to stdout (default false)
; This file, not the directory, is what to tail when checking etcd's output.
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                          ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5                              ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                           ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                           ; emit events on stdout writes (default false)

更新supervisor

supervisorctl update

查看Supervisor执行的状态

supervisorctl status

查看日志

tail -fn 200 /data/logs/etcd-server/

查看etcd集群

etcdctl --write-out=table --endpoints=localhost:2379 member list

文章作者: Linty
版权声明: 本博客所有文章除特别声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Linty !